
Schrems II

GDPR

2020 CJEU ruling invalidating Privacy Shield and requiring a case-by-case transfer impact assessment (TIA) for EU→US data transfers.

Schrems II (Case C-311/18, July 2020) invalidated the EU–US Privacy Shield framework and held that controllers using SCCs must verify the third country provides essentially equivalent protection — failing which, supplementary technical, contractual, or organisational measures are required.

Why it matters
Schrems II is the legal foundation for the €1.2B Meta fine and ongoing challenges to the EU–US Data Privacy Framework. Encryption-at-rest with keys held inside the EEA is the most defensible technical safeguard.

Related terms

Standard Contractual Clauses (SCCs)
EU Commission-approved clauses providing a lawful basis for personal-data transfers outside the EEA.
GDPR
EU regulation governing processing of personal data of EU/EEA data subjects; fines up to €20M or 4% of global turnover.
Personal Data (GDPR)
Any information relating to an identified or identifiable natural person (data subject) — Art. 4(1).
